diff options
Diffstat (limited to 'roles/relayd/templates')
| -rw-r--r-- | roles/relayd/templates/relayd.conf.j2 | 38 |
1 files changed, 17 insertions, 21 deletions
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2 index b66ffa7..67b9e13 100644 --- a/roles/relayd/templates/relayd.conf.j2 +++ b/roles/relayd/templates/relayd.conf.j2 @@ -6,10 +6,11 @@ log connection errors # hosts table <local> { 127.0.0.1 } -{% call(h) macros.loop_valid_hosts("servers") -%} -table <{{ h.inventory_hostname }}> { {{ h.__ip.internal }} } -{% for name, rules in h.relayd_rules.items() if rules.domain is defined %} -table <{{ h.inventory_hostname }}_{{ rules.domain }}> { {{ h.__ip.internal }} } +{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%} +{% set relayd_rule_ip = "127.0.0.1" if h.inventory_hostname == inventory_hostname else h.__ip.internal %} +table <{{ h.inventory_hostname }}> { {{ relayd_rule_ip }} } +{% for rule in h.relayd_rules %} +table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd_rule_ip }} } {% endfor %} {%- endcall %} @@ -17,8 +18,8 @@ table <{{ h.inventory_hostname }}_{{ rules.domain }}> { {{ h.__ip.internal }} } http protocol "https" { - tls ciphers "HIGH:!AES128:!kRSA:!aNULL" - tls ecdhe "P-384,P-256,X25519" + tls ciphers "{{ relayd_tls_ciphers | join(':') }}" + tls ecdhe "{{ relayd_tls_elliptic_curves | join(',') }}" tcp { sack, backlog 128 } @@ -31,13 +32,10 @@ http protocol "https" { match response header set "Referrer-Policy" value "no-referrer" match response header set "X-XSS-Protection" value "1; mode=block" - tls keypair "{{ relayd_domain_name }}" - pass request quick header "Host" value "{{ relayd_domain_name }}" forward to <local> -{% call(h) macros.loop_valid_hosts("servers") -%} -{% for name, rules in h.relayd_rules.items() if rules.domain is defined %} - {% set domain_name = rules.domain ~ "." ~ relayd_domain_name -%} - tls keypair "{{ domain_name }}" - pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ rules.domain }}> +{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%} +{% for rule in h.relayd_rules %} + tls keypair "{{ rule.domain }}" + pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}> {% endfor %} {%- endcall %} @@ -50,11 +48,9 @@ http protocol "http" { # acme pass request quick path "/.well-known/acme-challenge/*" forward to <local> - pass request quick header "Host" value "{{ relayd_domain_name }}" forward to <local> -{% call(h) macros.loop_valid_hosts("servers") -%} -{% for name, rules in h.relayd_rules.items() if rules.domain is defined %} - {% set domain_name = rules.domain ~ "." ~ relayd_domain_name -%} - pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ rules.domain }}> +{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%} +{% for rule in h.relayd_rules %} + pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}> {% endfor %} {%- endcall %} @@ -74,9 +70,9 @@ relay "wwwtls" { listen on egress port 443 tls protocol "https" forward to <local> port 80 check http "/" code 200 -{% call(h) macros.loop_valid_hosts("servers") -%} -{% for name, rules in h.relayd_rules.items() if rules.domain is defined %} - forward to <{{ h.inventory_hostname }}_{{ rules.domain }}> port {{ rules.port }} check tcp +{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%} +{% for rule in h.relayd_rules %} + forward to <{{ h.inventory_hostname }}_{{ rule.name }}> port {{ rule.port }} check tcp {% endfor %} {%- endcall %} } |